Our ETSI audit report (https://www.siemens.com/corp/pool/pki/siemens_etsi.pdf) states:
> An audit of the certification service, documented in a report, provided
> evidence that the requirements of the following
> specification have been fulfilled. The audit was conducted on 22th - 24th
> February 2017 covering the timeframe
> 27th February 2016 to 21st February 2017. It was a full audit covering all
> aspects of the standard performed.
> A second and third audit was performed on 19th and 20th June 2017 to
> implement further Issuing CAs and in the time
> between 23rd to 30th August.

We repeat this full audit annually. From what I understand out of this discussion, this will meet your requirements, correct? If you want us to move from ETSI to Webtrust we, and probably every other CA relying on ETSI, would highly appreciate a reasonable grace period to do so, since we are already in the middle of the preparation of our next audit in February 2018.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.siemens.com/ingenuityforlife

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+rufus.buschart=siemens....@lists.mozilla.org] On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Monday, 30 October 2017 23:31
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: ETSI audits not listing audit periods

On Monday, October 30, 2017 at 2:59:31 PM UTC-7, Ryan Sleevi wrote:
>
> I would expect that it would be incumbent on the CABs and the CAs
> providing EN 319 411-1 certificates to help the community better
> understand the level of assurance provided. That is, I think those
> supporting the continued recognition of ETSI should attempt to
> demonstrate where either the understanding of WebTrust-based audits or
> EN 319 411-1 certificates is incorrect or inaccurate. Otherwise, I
> think your conclusions - about no longer recognizing such schemes - are
> reasonable.

I hope that CAs who rely on ETSI audits are following this discussion forum, and that they will promptly add their comments/explanation here, and ask their auditors to do the same.

I've filed this issue: https://github.com/mozilla/pkipolicy/issues/105

In which I said:
~~
I think that all CAs should be held to the same level of assurance/audits. So, I think we have two choices:
1) Remove ETSI as an acceptable audit scheme.
2) The ETSI folks update their audit schemes (that Mozilla's Root Store Policy currently allows) to meet our requirements about looking backward at certificate issuance data -- period-of-time audits as described above and in our policy and the BRs.
~~

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy